REMARKS

The present application stands with its two independent claims 1 and 18 
rejected under 35 U.S.C. §103(a) as being unpatentable over the cited Bendinelli
et al. (Bendinelli) reference in view of the cited Rabenko et al. (Rabenko) patent. 
The remaining dependent claims have been rejected under 35 U.S.C. §103(a) as 
being unpatentable over Bendinelli in view of Rabenko, and for certain claims, 
further in view of other cited references. For the reasons below, the two 
independent claims, 1 and 18, as presently amended, are believed to be 
unobvious over Bendinelli and Rabenko, and thus allowable. Accordingly, the 
dependent claims thereon should also be allowable. 

Applicant's invention is directed to a methodology that avoids collisions
and race conditions that could arise when you have a secure IPSec tunnel that 
traverses a NAT device that uses a heuristic methodology in translating 
addresses and port numbers for the purpose of directing a packet that is sent to 
a NAT's global address to its actual destination's private address. As described
in the specification and as claimed in the amended claims, this methodology is 
one in which when the NAT attempts to forward packets to a first endpoint that 
have been sent by a second endpoint to the NAT's global address, which global
address is not uniquely associated with the first endpoint, it does so by 
attempting to heuristically match outgoing and incoming security association 
identifiers, which are located within the packet and which security associations 
establish the tunnel. As described and claimed, such matching attempts may fail 
due to collisions and/or race conditions in the use of such security association 
identifiers in forwarding packets sent by the second endpoint to the first endpoint. 
In the described IPSec IKE embodiment, these security association identifiers 
are initiator and responder cookies, and in the described IPSec ESP 
embodiment, these security association identifiers are the incoming SPIs 
(Security Parameters Indices). Applicant's methodology, as defined in amended 
claims 1 and 18, prevents collisions and race conditions that can result when 
matching results fail when using security association identifiers in forwarding 
packets from one endpoint to another on the tunnel through a NAT using such a
heuristic approach. Advantageously, the race conditions and collisions that can
occur using such security identifiers are eliminated or automatic recovery from 
such is provided by requiring a first endpoint to wait to send packets containing 
application data through the tunnel until it receives a response to a control packet 
that has been sent from the first endpoint to the second endpoint. 

Claims 1 and 18 have been amended to clarify the heuristic functioning of 
the NAT through which a secure tunnel between a first endpoint and a second 
endpoint passes, in accordance with the specification. Thus, these claims have 
been amended to state that the "in outgoing packets, sent from the first endpoint 
to the second endpoint, notes a packet's security association identifier located 
within the packet and translates a private address of the first endpoint to a 
shared global address that is not uniquely associated with the first endpoint and, 
in incoming packets, send from the second endpoint to the shared global 
address, notes a packet's security association identifier and translates the global 
address to which the packet is addressed to a private address, which address is 
determined by heuristically matching the second endpoint's address and 
incoming security association identifier with the first endpoint's private address 
and outgoing security association identifier", where "mismatches may occur due 
to collisions and/or race conditions in the use of security association identifiers". 

Bendinelli only describes resolving conflicts in addresses by NAT. There 
is no suggestion at all as to how to resolve conflicts that arise when the NAT is 
unable to identify its proper destination when it is using outgoing and incoming 
security association identifiers located in the packets to forward received packets 
to their proper destination, where the security associations are used to establish 
the tunnel. Rabenko has nothing to do with secure tunnels. (As an aside, the
patent number of Rabenko has been repeatedly misstated throughout the 
prosecution of the present application, and is only correct on the PTO-892 that 
was forwarded with the first office action). The cited reference to column 97, 
lines 19-37 deals with techniques that make a FAX machine compatible with a 
packet network. A gateway box connected between a fax machine and the 
Internet delays a FAX from prematurely retrying a connection when it doesn't get
a response from the far end in the expected time period. Everything is based 
purely on timing and not on whether or not a response to a control packet is 
received before sending application data through a secure tunnel regardless of 
the timing involved, as per applicant's invention. 

Claims 1 and 18, as amended, are clearly not obvious over the 
combination of Bendinelli and Rabenko since nothing in either reference 
discloses or suggests the methodology according to the present invention for 
avoiding or automatically recovering from collisions from race conditions that can 
result when packets that are sent from a second endpoint to a first endpoint over 
a secure tunnel traversing a NAT which uses a methodology that forwards 
packets sent by the second endpoint by heuristically matching outgoing and
incoming security association identifiers located in the packets, which security 
associations establish the tunnel, and where the tunnel is operating under a 
secure protocol that is independent of whatever applications are running on the 
first and second endpoints. 

Inasmuch as the independent claims are believed to be allowable, the 
dependent claims thereon should also be allowable. 

In view of the foregoing, allowance of all the claims presently in the
application and passage to issue of the subject application is respectfully 
requested. If the Examiner should feel that the application is not yet in a 
condition for allowance and that a telephone interview would be useful, he is 
invited to contact applicants' undersigned attorney at 973, 386-8252. 